m (note about OpenSSH format) |
No edit summary |
||
Line 56: | Line 56: | ||
user@server$ ssh-keygen -t rsa | user@server$ ssh-keygen -t rsa | ||
user@server$ ipa user-add | user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey=‘cat .ssh/id_rsa.pub‘ | ||
Verify that the user entry has the correct SSH public key set: | Verify that the user entry has the correct SSH public key set: | ||
user@server$ ipa user-show | user@server$ ipa user-show sshuser | ||
User login: | User login: sshuser | ||
First name: | First name: SSH | ||
Last name: | Last name: User | ||
Home directory: /home/ | Home directory: /home/sshuser | ||
Login shell: /bin/sh | Login shell: /bin/sh | ||
UID: | UID: 12345678 | ||
GID: | GID: 12345678 | ||
Account disabled: False | Account disabled: False | ||
SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example.com (ssh-rsa) | SSH public key fingerprint: <span style="color: blue">38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04</span> user@server.ipa.example.com (ssh-rsa) | ||
Line 76: | Line 76: | ||
user@server$ ssh-keygen -l -f .ssh/id_rsa.pub | user@server$ ssh-keygen -l -f .ssh/id_rsa.pub | ||
2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA) | 2048 <span style="color: blue">38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04</span> user@server.ipa.example.com (RSA) | ||
Generate another SSH keypair on <code>client.ipa.example.com</code>: | |||
user@client$ ssh-keygen -t rsa | |||
user@client$ cat .ssh/id_rsa.pub | |||
<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com</span> | |||
Add the public key to <code>sshuser</code>: | |||
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='<span style="color: purple">ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com</span>' | |||
You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that you can't use <code>--sshpubkey</code> to add or delete public keys of a user or host, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead. | You can experiment further with <code>ipa user-add</code>, <code>ipa user-mod</code>, <code>ipa host-add</code>, <code>ipa host-mod</code> commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see <code>man sshd</code>) using the <code>--sshpubkey</code> option. Note that you can't use <code>--sshpubkey</code> to add or delete public keys of a user or host, you have to use <code>--addattr ipasshpubkey=...</code> or <code>--delattr ipasshpubkey=...</code> instead. | ||
Line 83: | Line 94: | ||
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example.com</code> to <code>client.ipa.example.com</code> and vice-versa: | Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from <code>server.ipa.example.com</code> to <code>client.ipa.example.com</code> and vice-versa: | ||
user@server$ ssh | user@server$ ssh sshuser@client | ||
user@client$ ssh | user@client$ ssh sshuser@server | ||
Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password. | Both these commands should work without any warnings or errors and should '''NOT''' prompt for verification of host identity or password. |
Revision as of 07:29, 13 September 2012
Description
SSH public key management and OpenSSH integration.
Setup
- Make sure you have SSSD 1.9.0beta7 or later installed (Koji build).
- Install FreeIPA server with DNS on one machine,
server.ipa.example.com
, and FreeIPA client on another machine,client.ipa.example.com
(see Basic installation tests).
How to test
Verify installation
First authenticate as admin:
user@server$ kinit admin
Verify that the host entry of server.ipa.example.com
has the correct SSH public keys set:
user@server$ ipa host-show server.ipa.example.com --all Host name: server.ipa.example.com Principal name: host/server.ipa.example.com@IPA.EXAMPLE.COM SSH public key fingerprint: 5A:CE:70:8F:A3:AF:57:C1:D1:C0:C6:28:FC:D4:42:07 (ssh-dss), 76:2B:1F:98:1C:02:EE:29:43:C1:18:FD:75:57:36:8F (ssh-rsa) Password: False Keytab: True Managed by: server.ipa.example.com user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub 1024 5a:ce:70:8f:a3:af:57:c1:d1:c0:c6:28:fc:d4:42:07 (DSA) user@server$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 76:2b:1f:98:1c:02:ee:29:43:c1:18:fd:75:57:36:8f (RSA)
The same procedure can be used to verify host public keys of client.ipa.example.com
.
Verify that DNS SSHFP records were updated correctly:
user@server$ dig +short server.ipa.example.com SSHFP 2 1 D017B7B96C1CF0DC9A9CC317AED198EBE61C8369 1 1 EEA71C381935401361301366B2E4E2627CB470CD user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_dsa_key.pub server.ipa.example.com IN SSHFP 2 1 d017b7b96c1cf0dc9a9cc317aed198ebe61c8369 user@server$ ssh-keygen -r server.ipa.example.com -f /etc/ssh/ssh_host_rsa_key.pub server.ipa.example.com IN SSHFP 1 1 eea71c381935401361301366b2e4e2627cb470cd
Again, the same procedure can be used to verify DNS SSHFP records of client.ipa.example.com
.
Public key management
Generate a SSH keypair and create new FreeIPA user with the public key set:
user@server$ ssh-keygen -t rsa user@server$ ipa user-add sshuser --first=SSH --last=User --sshpubkey=‘cat .ssh/id_rsa.pub‘
Verify that the user entry has the correct SSH public key set:
user@server$ ipa user-show sshuser User login: sshuser First name: SSH Last name: User Home directory: /home/sshuser Login shell: /bin/sh UID: 12345678 GID: 12345678 Account disabled: False SSH public key fingerprint: 38:FA:5A:79:DF:21:D6:C6:EC:F0:5C:98:8A:4F:AF:04 user@server.ipa.example.com (ssh-rsa) Password: False Member of groups: ipausers Kerberos keys available: False user@server$ ssh-keygen -l -f .ssh/id_rsa.pub 2048 38:fa:5a:79:df:21:d6:c6:ec:f0:5c:98:8a:4f:af:04 user@server.ipa.example.com (RSA)
Generate another SSH keypair on client.ipa.example.com
:
user@client$ ssh-keygen -t rsa
user@client$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com
Add the public key to sshuser
:
user@server$ ipa user-mod sshuser --addattr ipasshpubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcuiedn5g9vECbjDaboheZ6yZ/ra6fM0YlAzS6bEh6HsH64AaQRih29L0sWygCIjhTPxO4gIaAzC4mrZjFnMbV3GPWhEisU33vJ8fqSmQZaAWAyV+aNIWMZRHIMgvBf+sTPYiMCzH7hkzDjljKHOTnMoDoOJ8cCNalC+KxDfSDDEulo/hmEYNTDQHrQJMtu+X3h7Z/EGbmeYlTFzneNZ/E6BkfCU/as3ViRy+DwKAZ2NPpozh/AEkVEVr76zoqMYuuqk5cyhXDJFeve/qJjBK/JqaGanPk8bxqpYYk6MbNXfP70HBP+8FAZaj53tJBYCB2aIc8+ZlF3z2ZCrh4hUKt user@client.ipa.example.com'
You can experiment further with ipa user-add
, ipa user-mod
, ipa host-add
, ipa host-mod
commands, all of them allow setting SSH public keys (in OpenSSH authorized_keys format, see man sshd
) using the --sshpubkey
option. Note that you can't use --sshpubkey
to add or delete public keys of a user or host, you have to use --addattr ipasshpubkey=...
or --delattr ipasshpubkey=...
instead.
OpenSSH integration
Now that public keys for both hosts and user are set, you can try using ssh to log in remotely from server.ipa.example.com
to client.ipa.example.com
and vice-versa:
user@server$ ssh sshuser@client
user@client$ ssh sshuser@server
Both these commands should work without any warnings or errors and should NOT prompt for verification of host identity or password.
Expected Results
All the test steps should end with the specified results.